Global WordPress Brute Force Attack
Wordpress Login - Brute Force Attack
There is a worldwide, highly-distributed WordPress attack that is ongoing. This attack is known to be using forged or spoofed IP addresses. We are actively blocking the most common attacking IP addresses across our server farm. The following steps can be used to secure (by password protection)
wp-login.phpfor all WordPress sites in your cPanel account:
How to Password Protect the wp-login.php File
There are two (2) steps in accomplishing this. First you need to define a password in the
.wpadminfile, and then you activate the security in the
Step 1: Create the Password File
Create a file named
.wpadminand place it in your home directory, where visitors can't access it. (Please note there is a period preceding the wpadmin in that file name.) The following example is for cPanel. Plesk would require placing the file in
/home/username/.wpadmin(where "username" is the cPanel username for the account.)
Put the username and encrypted password inside the
.wpadminfile, using the format
john:n5MfEoHOIQkKg(where "john" is a username of your choice, and the password shown is encrypted.)
Option A: Generate Password File & Uploading Via File Manager
One way to do this is to generate the file using the website linked below, and then upload it to your site via FTP or File Manager. In the directions below, we will use File Manager, but you could use FTP instead, for those of you familiar with FTP.
- Visit: http://www.htaccesstools.com/htpasswd-generator/
- Use the form to create the username and password.
- Login to cPanel in another window.
- Click on File Manager
- Select "Home Directory"
- Check "Show Hidden Files (dotfiles)" if not already checked.
- Click on the "Go" button.
- Look for a
- If one exists, right click on it and select "Code Edit" to open the editor. Click on the Edit button to edit the file.
- If one does not exist, click on "New File" at the top of the page, and specify the name as
.wpadmin(with the dot at the front) and click on the "Create New File" button.
- Paste the code provided from the website in step 2.
- Click on the "Save Changes" button when complete.
- You can "Close" the file when finished.
Option B: Creating the Password File via SSH / Command Line
To create the encrypted password you will need to use a utility such as the command-line program htpasswd. More detailed technical information about htpasswd can be found at http://httpd.apache.org/docs/current/programs/htpasswd.html.
An example would be to do this:htpasswd -c /home/username/.wpadmin john
You would then be prompted to enter the password you wish to use for the username "john" in order to access the wp-login page. You can then log into the wp-admin interface as you normally would. There are many other online tools that can be used to convert standard passwords to encrypted for this purpose.
Step 2: Update the .htaccess File
All domains under the home directory will share the common
.wpadminfile, and that previous command creates the
/home/username/.wpadminfile due to the -c. The last step is to place the following code in the
/home/username/.htaccessfile:ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"